@Stanislav Zhelyazkov 

When I am running below query, always getting 0 results even if selecting time rage 4 months or more :

Event
| where EventLog == "System" and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

Also is it ok to use this to fetch :

ConfigurationData
| where SvcName =~ "w3svc"
| where SvcState != "Running"
| project Computer, SvcName, SvcDisplayName, SvcState, TimeGenerated, SvcStartupType, SvcAccount, SourceSystem

As in your blog you have said change tracking is having some delay to collect data.

@Rahul_Mahajan For the first query you need to ingest the System log from all your Windows machines. In overall I would recommend using Change Tracking (ConfigurationData) if you are already using it or if the cost of that data is ok with you. The good thing with Azure Monitor is that there are multiple paths for some things.

Keep in mind that when you have to build the query for the alert it needs to have certain things like AggregatedValue. In the book example you will see how the query looks.

@Rahul_Mahajan Download the book I have pasted link to. Open Chapter 10 - section Automated Alert Remediation. Read it. The latest working code is here: https://github.com/slavizh/InsideAzureMgmt-1/tree/master/Chapter10/Remediate soon the book will be updated with that code.

@Stanislav ZhelyazkovThanks for specifics.

Also is there any way to monitor all SQL database in Azure SQL servers as we have few databases which are keep spiking CPU usage and causing issues. 

@Rahul_Mahajan It is best to open new threads for new issues/questions. That way other folks will find information easier. Azure SQL has diagnostic logs and metrics which can be send to Log Analytics and you can create alerts based on them. Even without sending metrics to Log Analytics you can create metric alerts (those are per resource).

When I am trying to change - change tracking frequency to 10 seconds its not working. it says task completed successfully but again it revert back to 30 seconds.

Can someone confirm which level of access is required to do this task and also how to easily identify in future which level of access is required for other tasks in Azure monitoring and Update management.

@Rahul_Mahajan To change that setting you need contributor access on the Log Analytics workspace.

@Stanislav Zhelyazkov 

Hello Stanislav,

I am trying to write a query to get results when ‘Service A’ is in running state and ‘Service B’ is in stopped state. I am getting 0 results. Below is the query

Event
| where EventLog == ‘System’ and EventID == 7036 and Source == ‘Service Control Manager’
| parse kind=relaxed EventData with * ” Windows_Service_Name ” Windows_Service_State ” *
| where Windows_Service_Name == “Service A” and Windows_Service_State == “running”
| where Windows_Service_Name == “Service B” and Windows_Service_State == “stopped”
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

Appreciate your response.

@Stanislav Zhelyazkov Stanislav Zhelyazkov 

Is there any other MP to monitor all windows services using a “Monitor” (not Rule) ?

Currently we are monitoring windows services using a "Rule" which needs manual intervention to close the Service alerts in SCOM to avoid that we are looking for a MP to monitor all windows services using a “Monitor” which will close the alert automatically once the service is up.

Please let me know if there is any such MP to make this possible.

Thanks in Advance !!